hi, Jouni,
thanks for ur response:)
I have some questions about ur letter:
1. I find that is 802.11i, it is said that:
The GTK shall be derived from the GMK by
GTK ← PRF-X(GMK, “Group key expansion” || AA ||
GNonce)
TKIP uses X = 256, CCMP uses X = 128 and WEP use X =
40 or X = 104. AA is represented as an IEEE 802
address and GNonce as a bit string as defined in
7.1.1.
AA is the AP's bssid, and if there is only ONE bssid
or ONE VAP, how can I generate two different GTKs?
I read the hostap's source and find that it will
create
different GMK by "hostapd_get_rand". Is it because the
function be called at different time to generate
different GMK, and then to generate different GTK?
2. My imagination on "vlan/bcast domain's isolation"
is as follow:
VLAN1 VLAN2
\ /
\ /
GTK1 \ / GTK2
AP
/\
/ \
/ \
staA staB
AP will encrypt VLAN1's message with GTK1, so the
staA(it has GTK1) will decrypt every messages from
vlan1 but can not decrypt bcast/mcast message from
vlan2. And so does staB.
The AP here must maitain 2 different GTKs in its
driver
and hardware. And in my wlan, the AP(atheros AR5212,
madwifi) can be set the GTK as "MAC --- GTK".
If there is a bcast of vlan1, the mac is
ff:ff:ff:ff:ff:ff, it will encrypted by GTK1. Some
time
later, staB associate with AP and after 4-way
handshark
get the new GTK2 from AP(in hostap's codes, AP will
set the new GTK2 to driver and the driver will set
the new GTK2 to hardware). Then staB will recevie all
message not only from vlan2 but also form vlan2
(because all the bcast messages will be encrypted by
GTK2).
According to Jouni's letter, if wlan is deployed with
ath9k + mac80211-based drivers + hostap + some kernel
patch, the function above will be realized??
If it does, where to obtain the ath9k's mac80211-based
drivers?
What is the "a minimal patch to enable AP mode in the
kernel code" and where to obtain it?
Thank u very much and looks forward ur response.
Best regards,
WangYue
--- Jouni Malinen <j at w1.fi>写道:
> On Fri, Sep 19, 2008 at 01:47:14PM +0800, 王h wrote:
>> > I deployed hostap and madwifi on my wireless
> network.
> > And there are 2 questions i am confused:
> > 1.Can AP or VAP(both with only one ssid) have
> serveral
> > broadcast domain, and each domains are encrypted
> by
> > different bcast keys?
>> In theory, yes.
>> > If hostap does, can madwifi support this?
>> hostapd has support for this with the dynamic VLAN
> features (VLAN
> allocation based on either RADIUS server data or
> local configuration per
> MAC address). However, I do not think that madwifi
> supports this. The
> VLAN concept (multiple SSIDs/broadcast domains per
> BSS) is only
> supported with mac80211-based drivers at this point
> (e.g., ath9k and
> hopefully soon with ath5k) and even with that, at
> least a minimal patch
> to enable AP mode in the kernel code is still needed
> since this is still
> disabled in the mainline Linux kernel.
>> > 2.I read the hostap's source and find function:
> > ap_sta_bind_vlan.
> > The funcions: vlan_setup_encryption_dyn and
> > wpa_auth_sta_set_vlan are able to set different
> keys
> > to different vlans?
>> Yes.
>> > If 1 and 2 are realized by hostap, does this
> function
> > (different bcast domian or vlan has differnet b
> cast
> > keys) have to be connected with radius auth?
>> This used to be available only with RADIUS server
> reporting the selected
> VLAN ID with Tunnel-Private-Group-ID attribute.
> However, it is now
> (starting with v0.6.5) possible to configure this
> locally with the
> accept_mac_file data.
>> > Should i call the function "ap_sta_bind_vlan"
> > somewhere instead of configuration radius server?
>> That is already taken care of for you in the current
> development branch
> assuming you would be doing VLAN assignment based on
> local
> accept_mac_file configuration.
>> --
> Jouni Malinen
> PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
>HostAP at lists.shmoo.com>http://lists.shmoo.com/mailman/listinfo/hostap>
___________________________________________________________
雅虎邮箱，您的终生邮箱！
http://cn.mail.yahoo.com/